SAP-C02 Question 246
Question
A company needs to create and manage multiple AWS accounts for a number of departments from a central location. The security team requires read-only access to all accounts from its own AWS account. The company is using AWS Organizations and created an account for the security team. How should a solutions architect meet these requirements?
Options
A. Use the OrganizationAccountAccessRole IAM role to create a new IAM policy with read-only access in each member account. Establish a trust relationship between the IAM policy in each member account and the security account. Ask the security team to use the IAM policy to gain access.
B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.
C. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the management account from the security account. Use the generated temporary credentials to gain access.
D. Ask the security team to use AWS Security Token Service (AWS STS) to call the AssumeRole API for the OrganizationAccountAccessRole IAM role in the member account from the security account. Use the generated temporary credentials to gain access.
Answer
B
Explanation
Correct answer: B.

Explanation: B is the right choice for this question.

Correct option: B. Use the OrganizationAccountAccessRole IAM role to create a new IAM role with read-only access in each member account. Establish a trust relationship between the IAM role in each member account and the security account. Ask the security team to use the IAM role to gain access.

Reason for the choice: this option most directly satisfies the key constraints in the question. Only an IAM role can carry a trust policy, so an IAM policy on its own (option A) cannot be assumed from the security account; the OrganizationAccountAccessRole (options C and D) grants full administrator access rather than read-only access, and it lives in the member accounts, not the management account. When working through SAP-C02 questions, also check the qualifiers in the question stem, such as highest performance, lowest operational overhead, cost effectiveness...